In Google Attack Aftermath, Operation Aurora Keeps on Hacking

The Operation Aurora hackers, who compromised Google's infrastructure a few years ago, are still at it, targeting defense contractors and other companies in their supply chains. The group is persistent, sophisticated and most likely government-sponsored, said Grayson Milbourne, director of threat research at Webroot.

By Richard Adhikari
Sep 8, 2012 5:00 AM PT

The gang behind
Operation Aurora, a coordinated attack that hit Google and tens of other large United States corporations, is alive, well and hacking away,
Symantec said.

Over the last three years, the gang has used lots of zero-day attacks against not just defense corporations, but also the manufacturers in their targets' supply chains.

Overview of the Attacks

The attackers are systematic, meaning "these attacks are not going away and the group is systematically targeting victims," Thakur explained. Once a zero-day exploit was in danger of being exposed during an attack, the hackers would replace it with another zero-day exploit, thus extending the life of the attack.

The hackers reuse components of an infrastructure Symantec has dubbed the "Elderwood Platform," after the exploit communication used in some of the attacks.

This platform lets the hackers quickly deploy zero-day exploits.

The primary targets are companies in the defense industry supply chain. Symantec said these companies may have weaker security than top-tier defense contractors.

"The Elderwood attacks appear to be very well organized and targeted towards intellectual property," Thakur said.

Flaws Exploited

The hackers used four zero-day exploits in the past few months, Symantec said.

Two of the four leveraged flaws were in the Adobe Flash platform.

They are the Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779) and the Flash Player Remote Code Execution Vulnerability (CVE-2012-1535).

Consumers and businesses should "keep their software and security protections up-to-date," Lips suggested.

What's In a Name?

The hackers involved have always used
spearphishing emails, Symantec said, but they are now increasingly using a technique dubbed "watering hole" attacks.

This involves the hackers' compromising certain websites they believe will likely be visited by their targets, much like predators sit around watering holes.

That's nothing new, said Randy Abrams, a research director at NSS Labs. "The term 'watering hole' probably came about when a marketing professional watched the animated film 'Madagascar' and figured that a targeted drive-by needed a new name to make it more marketable," he told TechNewsWorld.

Plenty More Where That Came From?

The hackers apparently have access to lots of zero-day exploits, Symantec believes.

"We know how difficult zero-day vulnerabilities are to come by, and the resources required to obtain them," Symantec's Thakur said. "This group definitely has the largest cache of zero-days we've ever seen utilized."

The hackers "seem to be very well resourced, which would explain the research they're able to perform in order to locate those zero-day vulnerabilities," Thakur remarked.

"Code has become so complex that multitudes of vulnerabilities are bound to exist," NSS Labs' Abrams said. "If a target is cost-effective, then massive resources can be put into exploit discovery and development. Finding holes is always easier than writing vulnerability-free code."

That kind of effort to locate zero-day vulnerabilities is needed because "in most cases, these exploits are fixed very soon after being discovered," Grayson Milbourne, director of threat research at Webroot, told TechNewsWorld.

Anonymous May Be Innocent

It's unlikely that the hacker group
Anonymous, which has previously vowed to target defense contractors, was behind the Elderwood attack, Webroot's Milbourne said.

"I would say these are more organized, possibly government sponsored, attacks," Milbourne said. "It's hard to say for sure, but typically Anonymous likes to take credit for their hacks."